diff --git a/plans/BIGMIND_HOSTED_MVP.md b/plans/BIGMIND_HOSTED_MVP.md new file mode 100644 index 0000000..2336e4e --- /dev/null +++ b/plans/BIGMIND_HOSTED_MVP.md 
@@ -0,0 +1,212 @@ +# BigMind Hosted MVP Plan + +> **Created:** 2026-04-04 +> **Authors:** Patrick + Lumen +> **Status:** Brainstorm → Planning + +--- + +## Vision + +**BigMind as a hosted, multi-tenant, privacy-first AI memory platform.** + +Every developer gets their own isolated, persistent brain — a memory layer that lives outside any single IDE or AI provider. Your AI colleague remembers you across sessions, across tools, across machines. Your memory is yours alone. Nobody else's knowledge poisons yours. + +Optional: A shared collective layer (MegaMind) where users explicitly contribute facts to a common knowledge pool — think public Stack Overflow threads, but for AI-assistant context. + +**Revenue model:** Monthly subscription per user. Freemium tier to drive adoption. + +--- + +## Why we're already closer than it feels + +| Component | Status | +|-----------|--------| +| Per-user isolation | ✅ `user_id` in every BigMind table already | +| Memory persistence | ✅ SQLite per user, trivially isolatable | +| Web profile UI | ✅ Flask app on port 7700 already running | +| 30+ MCP tools | ✅ All implemented, tested, production-quality | +| Session lifecycle | ✅ Start/end/close-stale already solid | +| Hypotheses / facts / chunks | ✅ Full Tier 0-3 storage working | +| MegaMind shared layer | 📝 In plans, Phase 3/4 | +| Auth (sign-up / login) | ❌ Not started | +| Hosted deploy (VPS) | ❌ Local only today | +| Billing (Stripe) | ❌ Not started | +| MCP bridge for hosted users | ❌ Not started | +| Frontend beyond profile page | ❌ Not started | + +--- + +## Architecture — What "hosted" looks like + +``` +User's IDE (VS Code / Cursor / IntelliJ) + │ + │ MCP protocol (stdio or HTTP SSE) + ▼ +BigMind Hosted MCP Server ◄─── per-user auth token in env + │ + │ SQLite reads/writes + ▼ +User DB (isolated per account) +/data/users/{user_id}/memory.db + + ┌────────────────────────────────────┐ + │ BigMind Web (Flask on port 443) │ + │ - Sign up / Login │ + │ - Profile page (existing) 
│ + │ - Account settings │ + │ - MegaMind opt-in toggle │ + └────────────────────────────────────┘ + + (Optional, Phase 2+) + ┌────────────────────────────────────┐ + │ MegaMind Shared Layer │ + │ - Public facts from opted-in users│ + │ - Read-only collective knowledge │ + │ - Poisoning is impossible: users │ + │ can only see what they share │ + └────────────────────────────────────┘ +``` + +**Privacy guarantee:** Your DB is a file only your process touches. Even if you contribute to MegaMind, you choose exactly which facts go public. Malicious or wrong facts stay in your private brain — they never propagate. + +--- + +## Tech Stack Choices + +### Backend +| Layer | Choice | Reason | +|-------|--------|--------| +| MCP server | FastMCP (existing) | Already working, no reason to change | +| Web framework | Flask (existing) | Already in codebase, keeps it simple | +| Auth | Flask-Login + bcrypt | Lightweight, well-understood, no new infra | +| DB | SQLite per user (existing pattern) | Simple, zero ops, trivially backupable | +| Token generation | Python `secrets` module | User gets an API token for MCP bridge | + +### Infrastructure +| Layer | Choice | Reason | +|-------|--------|--------| +| VPS | Hetzner CX22 (~€5/mo) | Cheap, EU datacenter, excellent perf/price | +| Deploy tool | Coolify (Docker-based PaaS) | One-command deploys, free, self-hosted | +| Reverse proxy | Caddy (via Coolify) | Auto HTTPS, simple config | +| Domain | TBD (e.g. bigmind.dev) | ~€10/year | + +### Payment (Phase 2) +| Layer | Choice | Reason | +|-------|--------|--------| +| Billing | Stripe | Industry standard, dev-friendly, EU-compliant | +| Pricing | €0 free / €9 solo / €19 team | TBD, just a starting point | + +--- + +## Phases + +### Phase 0 — Foundation (now, no new infra needed) +**Goal:** Make BigMind deployable as a multi-user service without breaking local usage. 
+ +- [ ] Refactor `memory.db` path to be configurable via `BIGMIND_DB_PATH` env var +- [ ] Each user gets `BIGMIND_DB_PATH=/data/users/{token}/memory.db` +- [ ] Confirm all 297 tests still pass with path override +- [ ] Write a `Dockerfile` for BigMind MCP server +- [ ] Write a `docker-compose.yml` for local multi-user testing + +**Skill gap:** None — pure Python + Docker. We can do this now. + +--- + +### Phase 1 — Auth + Web Portal (the real first hurdle) +**Goal:** A stranger can sign up, get a token, and connect their IDE to their hosted BigMind. + +- [ ] Add `users` table to a separate `app.db` (separate from memory DBs) + - `id`, `email`, `password_hash`, `api_token`, `created_at`, `plan` +- [ ] Flask routes: `/signup`, `/login`, `/logout`, `/dashboard` +- [ ] Dashboard shows: token (copy to clipboard), DB stats, link to profile page +- [ ] Profile page becomes accessible at `/profile?token={token}` (auth-gated) +- [ ] Token is what users paste into their IDE's MCP env config +- [ ] Email verification (optional for MVP — add later) + +**Skill gap:** Flask auth is straightforward. `Flask-Login` + `bcrypt`. Nothing here requires React. + +--- + +### Phase 2 — Hosted Deploy (first public user possible) +**Goal:** BigMind runs on a real VPS, accessible to the world. + +- [ ] Provision Hetzner VPS (CX22, Ubuntu 24 LTS) +- [ ] Install Coolify on VPS +- [ ] Push Docker image to Gitea registry or Docker Hub +- [ ] Deploy via Coolify: web container + data volume for user DBs +- [ ] Configure Caddy for HTTPS on custom domain +- [ ] Smoke test: sign up → get token → wire into VS Code → memory_start_session works + +**Skill gap:** Docker + Coolify + Caddy. All documented, not scary. Hetzner has great guides. + +--- + +### Phase 3 — Billing (first paying customer possible) +**Goal:** Someone can pay €9/month and get their brain. + +- [ ] Stripe account set up (business: Patrick as sole proprietor or GbR with Elias/Klaus?) 
+- [ ] Stripe Checkout: user clicks "Upgrade", redirected to Stripe, comes back with `plan=solo` +- [ ] Webhook: `customer.subscription.created` → update `users.plan` in `app.db` +- [ ] Free tier limit: e.g., 500 facts max, no MegaMind access +- [ ] Paid tier: unlimited facts, MegaMind read access + +**Skill gap:** Stripe webhooks are well-documented. Python `stripe` SDK is simple. Need a registered business for VAT compliance in DE — this is a real overhead but manageable. + +--- + +### Phase 4 — MegaMind Shared Layer (differentiation) +**Goal:** Users who opt in contribute to a collective knowledge pool. Read-only for all users. + +- [ ] New `megamind.db` — a single shared SQLite (or Postgres if scale demands) +- [ ] Facts table: `fact`, `category`, `contributed_by`, `upvotes`, `created_at` +- [ ] `memory_store_fact(..., public=True)` — contributes to MegaMind +- [ ] `memory_search_facts()` — searches personal brain first, then MegaMind as fallback +- [ ] Profile page shows MegaMind contribution count as a badge +- [ ] Moderation: auto-reject facts with PII patterns (email regex, etc.) + +**Skill gap:** SQLite concurrency (WAL mode already in use). No new infra. The hard part is moderation — keep it simple for MVP. + +--- + +## Skill gaps to close — learning roadmap + +| Gap | Priority | How to close | +|-----|----------|-------------| +| Flask auth (login/sessions) | 🔴 Blocker for Phase 1 | `Flask-Login` docs are 30 min read. Build it directly. | +| Docker + Coolify deploy | 🔴 Blocker for Phase 2 | Coolify has great tutorials. 1 weekend to learn. | +| Stripe basics | 🟡 Phase 3 | Stripe's Python quickstart is excellent. | +| TypeScript (optional) | 🟢 Nice-to-have | Expands MCP ecosystem reach. Not urgent. | +| React/Next.js | 🟢 Later | Not needed until Phase 4+. Flask HTML is enough for MVP. | +| German business registration | 🟡 Phase 3 | Gewerbeanmeldung + Steuerberater. Do before Stripe. 
| + +--- + +## What we're NOT building (scope control) + +- ❌ Mobile app — not yet +- ❌ Team collaboration features — not yet (Phase 5+) +- ❌ Custom AI model training on memory — this is the "evil training" problem Patrick raised. Architecture answer: personal brains are isolated, so user trains their own brain. We never aggregate across users without explicit consent. +- ❌ Full SPA frontend — Flask server-side HTML is fine for MVP. Don't over-engineer. + +--- + +## The ethical foundation + +Patrick put it well: *"if people train evil stuff they only have it for them, which I can live with."* + +This is the right architecture and the right mindset. BigMind doesn't curate your memories. It doesn't run your facts through a classifier. Your brain is yours. The only guarantee we make: **nothing leaves your brain unless you explicitly push it to MegaMind.** + +This also means we never have a moral liability for what someone stores. We're a memory layer, not a judge. + +--- + +## First concrete next step + +**Today's action:** Write the `Dockerfile` for BigMind and confirm it boots cleanly with `BIGMIND_DB_PATH` as an env override. That's Phase 0, item 1. Everything else follows from that. + +--- + +*Last updated: 2026-04-04 by Lumen* diff --git a/plans/cannabis-club-saas/STRATEGY.md b/plans/cannabis-club-saas/STRATEGY.md new file mode 100644 index 0000000..a52c8bd --- /dev/null +++ b/plans/cannabis-club-saas/STRATEGY.md 
@@ -0,0 +1,511 @@ +# 🌿 CannaManage — Cannabis Club Management SaaS +## Strategic Plan & Feasibility Assessment +**Author:** Patrick (Lumen, 2026-04-04)** +**Status:** Draft for review + +--- + +## Executive Summary + +Germany's **Konsumcannabisgesetz (CanG)**, in force since April 1, 2024, legalised cannabis for personal use and established a framework for **Anbauvereinigungen** (cannabis social clubs / CSCs). These clubs face significant mandatory compliance burdens with almost **zero software tooling** available to help them. This is the market gap. + +**CannaManage** is a **B2B SaaS platform** for cannabis social clubs in Germany. It handles their mandatory member management, distribution tracking, stock management, compliance reporting, and member portal — replacing Excel sheets and pen-and-paper with a purpose-built regulated-sector management tool. + +**Verdict: ✅ LEGAL — ✅ MONETIZABLE — ⚠️ WITH SPECIFIC CAUTION** + +--- + +## 1. Legal Feasibility Check + +### 1.1 The Law: Konsumcannabisgesetz (CanG) — Key Facts + +Source: Federal Health Ministry FAQ (verified 2026-04-04 via bundesgesundheitsministerium.de) + +| Rule | Detail | +|------|--------| +| Personal possession | 25g in public, 50g at home | +| Home growing | Max 3 plants per adult | +| CSC distribution | 25g/day, 50g/month per adult member | +| Members 18-21 | Max 30g/month, max 10% THC | +| Max club density | 1 club per 6,000 residents per district (state-optional) | +| **Advertising ban** | **TOTAL ban on advertising and sponsoring of cannabis AND Anbauvereinigungen** | +| Documentation | Mandatory tracking: who received what, when, contamination traceability | +| Prevention officer | Clubs must designate a Präventionsbeauftragter | +| Youth protection concept | Mandatory health & youth protection plan required | +| Reporting obligations | Regular documentation and reporting to authorities | + +### 1.2 The Critical Question: Does a SaaS Platform Violate the Advertising Ban? 
+ +**§ CanG: "Generelles Werbe- und Sponsoringverbot für Cannabis und Anbauvereinigungen"** + +This is the key legal boundary. The advertising ban applies to: +- Advertising **for** cannabis +- Advertising **for** Anbauvereinigungen (the clubs themselves) + +**A B2B management tool is NOT advertising.** Here is why: + +| Scenario | Legal Status | Reasoning | +|----------|-------------|-----------| +| Public directory "Find clubs near you" | ❌ Illegal | Constitutes advertising for clubs | +| "Sign up to discover CSCs in your city" | ❌ Illegal | Discovery = advertising | +| B2B dashboard used by club admins | ✅ Legal | Internal operations software | +| Member portal (member logs in to see their club's stock) | ✅ Legal | Member already joined; no advertising | +| Compliance reporting tools for clubs | ✅ Legal | Administrative software, like tax software | +| Payment processing for member fees | ✅ Legal | Financial operations, not advertising | +| Marketing the SaaS **to clubs** via B2B channels | ✅ Legal | Selling software to businesses is normal | + +**The analogy:** Shopify doesn't become a drug dealer when a pharmacist uses it. A POS system for a bar doesn't make the bar illegal. We sell **operational software** to licensed, regulated entities. We are not in the cannabis business. + +### 1.3 Positioning — Critical Architecture Decision + +The platform **MUST NOT** include: +- Public-facing club discovery (no "find clubs near you") +- Any feature that functions as advertising for a specific club to non-members +- Stock information visible to non-members (which could look like advertising) + +The platform **SHOULD** include: +- Member login restricted to verified club members only +- Club admin portal (sign-up via direct B2B sales / word-of-mouth — not public listing) +- Explicit "this software is for existing clubs and their verified members" framing + +### 1.4 DSGVO / Data Privacy + +Clubs handle sensitive personal data (membership, health-adjacent data). 
Our platform must: +- Store all data in Germany/EU (Hetzner, not AWS us-east) +- Provide DSGVO-compliant data processing agreements (DPA/AVV) +- Enable data export and deletion per member request +- Have clear privacy policies in German + +### 1.5 Legal Risk Register + +| Risk | Probability | Impact | Mitigation | +|------|-------------|--------|-----------| +| Advertising ban reinterpretation to include B2B SaaS | Low | High | Legal opinion before launch; strict no-discovery design | +| New German government rolls back CanG | Medium | High | Modular architecture — pivot to compliance-only if needed | +| Payment processors (Stripe) block cannabis-adjacent businesses | Medium | High | Use Stripe (they allow compliance software); never process cannabis payments | +| Club licenses revoked / clubs fail | Medium | Medium | Diversified customer base; per-month billing (easy to cancel) | +| DSGVO violation | Low | Very High | EU hosting, DPA agreements, security audit | + +**Bottom line:** The legal risk is manageable with correct product positioning. We are selling **compliance management software**, not cannabis. + +--- + +## 2. 
Market Analysis + +### 2.1 Market Size + +**Potential CSC count in Germany:** +- Germany population: ~83 million +- If 1 club per 6,000 residents (theoretical maximum): ~13,800 clubs +- Realistic 2025-2028 formation rate: **500–3,000 active clubs** +- Reason: complex licensing process, Länder-specific delays, conservative uptake initially + +**Consumer backdrop:** +- **5.05 million adults** consumed cannabis in the past 12 months (2024 survey) +- **670–823 tonnes** consumed in 2024 — huge demand +- This is not a niche; it is a mainstream market with a regulatory moat + +**Total Addressable Market (TAM):** +- 3,000 clubs × €79/month average = €2.85M ARR +- 500 clubs × €79/month = €475K ARR (conservative bootstrap target) +- Even 100 paying clubs = €94,800 ARR — a solid side hustle + +### 2.2 Why Clubs Desperately Need This + +The CanG creates massive administrative burden on clubs: + +| Requirement | Pain Without Software | +|------------|----------------------| +| Track every distribution (who, what, how much, when) | Excel sheets, manual errors | +| Monthly quantity caps per member | Manual math, compliance risk | +| Youth protection (18-21 THC cap, quantity cap) | Manual age checks | +| Contamination traceability | Paper trail disaster | +| Prevention officer reporting | No standard format exists | +| Member data management (DSGVO) | Illegal if done on personal email/phone) | +| Annual reporting to authorities | No tooling from the state | + +These clubs are **legally required** to do this. They will pay for something that makes compliance manageable. 
+ +### 2.3 Competition Check + +**Current competitors (estimated):** +- **None known** at launch time specifically for German CSCs (market is <2 years old) +- General club management software (e.g., ClubDesk, easyVerein) — not cannabis-compliant, lack distribution tracking +- Generic SaaS tools (Airtable, Notion) — no compliance features, no German legal mapping + +**Timing advantage is critical.** The window to establish market leadership is 2026-2027 before larger players notice. + +--- + +## 3. Product: Feature Specification + +### 3.1 MVP (Version 1 — Ship First) + +**For Club Admins:** +- Club registration and setup wizard +- Member management (add/remove, age, contact, membership date) +- Age verification flag (18+, 18-21 restricted category) +- Distribution log: record each handout (member, strain, weight, date/time) +- Monthly limit enforcement: system warns/blocks if member exceeds 50g (or 30g for under-21) +- Stock management: strains, quantities, batch info +- Simple dashboard: total members, distributions this month, stock levels + +**For Members (Member Portal):** +- Login with club-issued credentials +- View personal distribution history +- View current stock availability (what strains are available) +- View remaining monthly quota +- Request distribution appointment (optional, club configures) + +**Compliance Tools:** +- Monthly distribution report export (PDF + CSV) for authority reporting +- Member list export for inspections +- Contamination alert: flag a batch and see all members who received it +- Prevention officer information tracking + +### 3.2 Version 2 (Growth Features) + +- Payment processing for membership fees (Stripe — no cannabis payments) +- Automated waiting list management +- Email/SMS notifications to members +- Multi-strain grow tracking (integrate growing calendar) +- **Mobile: PWA first** — Spring Boot serves a responsive web app; works on all Android/iOS browsers, no App Store submission needed +- **Mobile: Kotlin Android app** 
— native Android app for Play Store distribution (covers ~70% of German users); Kotlin is essentially better Java, Patrick can leverage existing JVM knowledge directly +- API for custom integrations +- Analytics dashboard (club-level, anonymised trends) + +### 3.3 Version 3 (Scale Features) + +- **Kotlin Multiplatform (KMP)** — shared business logic in Kotlin + Compose Multiplatform UI deployed to Android + iOS + web from one codebase; natural step after the Kotlin Android app +- Multi-location club support +- White-label option for large club networks +- Legal template library (Satzungen, Jugendschutzkonzept, etc.) +- Integration with German authority reporting portals (if they exist) +- Prevention officer training module + +--- + +## 4. Revenue Model + +### 4.1 Pricing Tiers (SaaS) + +| Plan | Price/month | Members | Key Features | +|------|-------------|---------|-------------| +| **Starter** | Free | Up to 30 | Distribution log, basic member management | +| **Basic** | €29/month | Up to 100 | + Compliance reports, stock management | +| **Professional** | €79/month | Up to 500 | + Member portal, batch tracking, exports | +| **Enterprise** | €179/month | Unlimited | + API, multi-location, priority support | + +**Rationale:** +- Free tier creates word-of-mouth in the club community +- Professional is the sweet spot for a typical club (100-300 members) +- Freemium-to-paid conversion pressure: "your club hit 30 members, upgrade to continue" + +### 4.2 Revenue Projections + +| Scenario | Paying Clubs | Average Plan | MRR | ARR | +|----------|-------------|-------------|-----|-----| +| Bootstrap (Year 1) | 30 | €49 | €1,470 | €17,640 | +| Growth (Year 2) | 150 | €65 | €9,750 | €117,000 | +| Scale (Year 3) | 500 | €79 | €39,500 | €474,000 | + +**Year 1 is realistic as a side hustle while working at ADP.** + +### 4.3 Additional Revenue Streams + +- **Setup fee:** Optional one-time €99–299 onboarding fee for Professional/Enterprise +- **Legal templates:** Sell 
standardised Satzung, Jugendschutzkonzept templates (€49 one-time) +- **Training:** Webinars for Präventionsbeauftragter (€149/person) — high-value, low-effort +- **Affiliate/referral:** Partner with lawyers who advise clubs (they refer clients, we pay commission) + +--- + +## 5. Tech Stack + +### 5.1 Skills Assessment — ⚠️ CORRECTED (Java is Patrick's primary language) + +> **Important correction:** The initial plan had this backwards. Python is *Lumen's* language, used for MCP servers. Patrick's real expertise is **Java** — JPA/EclipseLink, JAXB, PrimeFaces, Maven, Jakarta EE. He built the entire wellmann-shop without AI, and wrote a custom JPA-annotation-style flatfile parser for euBP/DSAK. The stack below is redesigned around Java as the primary language. + +| Technology | Patrick's Level | Required? | +|-----------|----------------|-----------| +| Java (Spring Boot / Quarkus) | ✅ **Expert** | Yes — backend | +| JPA / EclipseLink | ✅ **Expert** | Yes — ORM layer | +| JAXB | ✅ Expert | Yes — report generation | +| PrimeFaces / JSF | ✅ Expert | Optional — one frontend path | +| Maven | ✅ Expert | Yes — build tool | +| PostgreSQL | ✅ Good | Yes — database | +| Docker | ✅ Comfortable | Yes — deployment | +| Spring Security / JWT | 🟡 Familiar | Yes — auth | +| Kotlin (Android / KMP) | 🟡 **Natural transition** — same JVM, IntelliJ | Yes — mobile v2/v3 | +| Compose Multiplatform | 🟡 New but Kotlin-based | Yes — cross-platform UI v3 | +| Vaadin Flow (Java UI) | 🟡 New, Java-native | Alternative fast frontend | +| React / Next.js | ❌ Needs learning | Best long-term web frontend | +| Stripe Java SDK | 🟡 New (REST, documented) | Yes — billing | +| German DSGVO practical | ⚠️ Basic | Critical — legal | + +### 5.2 Frontend Choice — The Real Decision + +With Java as the primary language, three paths exist: + +**Option A: Vaadin Flow — Full Java, zero JavaScript (fastest start)** +- Write UI in pure Java — no HTML/CSS/JS required +- Deeply integrated with Spring Boot, 
component-based +- Patrick can start immediately with zero new language learning +- Downside: Vaadin commercial license for some features; UI looks enterprise-y + +**Option B: PrimeFaces + JSF — Patrick already knows this cold** +- Built wellmann-shop entirely from scratch with PrimeFaces +- Runs on Quarkus, WildFly, or Payara +- Zero learning curve — known patterns, fast to ship +- Downside: JSF is considered legacy by the wider web community; not ideal for modern SaaS polish + +**Option C: Spring Boot backend + Next.js/React frontend (Best long-term)** +- Java stays the backend — Patrick's full existing strength +- React/Next.js frontend — one-time learning investment +- Standard modern SaaS architecture (2024+); best hiring/community ecosystem +- Downside: React/Next.js learning curve (~4-6 weeks) + +**Recommendation:** Start with **Option B (PrimeFaces)** to ship an MVP fast with zero learning overhead. Migrate the frontend to **Option C (Next.js)** in Version 2 when revenue justifies the investment. This is pragmatic — ship first, polish later. 
+ +### 5.3 Recommended Stack + +``` +Frontend: PrimeFaces + JSF (MVP) → Next.js/React (v2+) +Backend: Spring Boot 3.x (Java 21) — REST API + JPA/Hibernate +ORM: JPA/Hibernate (Patrick's core expertise) +Database: PostgreSQL + Flyway migrations +Auth: Spring Security + JWT (stateless sessions) +Payments: Stripe Java SDK (subscriptions, webhooks) +PDF Reports: iText 7 or Apache PDFBox (Java, battle-tested) +Email: Jakarta Mail / Resend.com REST API +Hosting: Hetzner Cloud VPS (German DC, GDPR, €5-20/month) + — TrueNAS.local Docker for dev/staging +CI/CD: Gitea Actions → Hetzner (Maven build pipeline) +Monitoring: Sentry Java SDK (free tier) +``` + +**Why this stack:** +- Spring Boot + JPA = Patrick's natural habitat — fastest possible iteration on the backend +- PrimeFaces MVP = zero new tools, ship in weeks not months +- PostgreSQL + Flyway = production-grade, schema migrations Patrick knows from JPA patterns +- Hetzner = German hosting, cheap, GDPR-compliant by design +- Stripe Java SDK = mature, handles EU VAT + subscription billing +- iText/PDFBox = Java-native PDF generation for compliance reports (no Python dependency) + +### 5.4 Architecture Overview + +``` +┌─────────────────────────────────────────────────────────┐ +│ CannaManage Platform │ +│ │ +│ ┌─────────────────┐ ┌────────────────────────────┐ │ +│ │ Admin Portal │ │ Member Portal │ │ +│ │ PrimeFaces/JSF │ │ PrimeFaces/JSF (MVP) │ │ +│ │ Next.js (v2+) │ │ Next.js/React (v2+) │ │ +│ │ - Club setup │ │ - Login (club-issued) │ │ +│ │ - Member mgmt │ │ - Stock view │ │ +│ │ - Distribution │ │ - My quota / history │ │ +│ │ - Compliance │ │ - Request pickup │ │ +│ └────────┬────────┘ └──────────┬─────────────────┘ │ +│ │ │ │ +│ └───────────┬────────────┘ │ +│ ↓ │ +│ ┌───────────────────────────────────────┐ │ +│ │ Spring Boot 3.x Backend (Java 21) │ │ +│ │ - REST API (Spring MVC) │ │ +│ │ - JPA/Hibernate entities │ │ +│ │ - Business logic + compliance rules │ │ +│ │ - PDF report generation (iText 7) │ │ +│ │ 
- Spring Security + JWT │ │ +│ └──────────────────┬────────────────────┘ │ +│ ↓ │ +│ ┌─────────────────────┐ │ +│ │ PostgreSQL │ │ +│ │ - Multi-tenant │ │ +│ │ (tenant_id on all │ │ +│ │ JPA entities) │ │ +│ │ - Flyway migrations │ │ +│ └─────────────────────┘ │ +│ │ +│ ┌──────────────────────────────────────────────────┐ │ +│ │ Stripe Java SDK │ Email (Jakarta Mail) │ │ +│ │ (subscription billing) │ (notifications) │ │ +│ └──────────────────────────────────────────────────┘ │ +└─────────────────────────────────────────────────────────┘ +``` + +### 5.5 New Skills Needed — Revised Learning Path + +| Skill | Priority | Patrick's Starting Point | Resource | +|-------|----------|--------------------------|----------| +| Spring Boot 3.x REST | 🟡 Medium | Knows Jakarta EE — similar model | spring.io/guides | +| Spring Security + JWT | 🟡 Medium | Security concepts from JEE | Baeldung tutorials | +| Flyway migrations | 🟡 Medium | Knows JPA schema generation | flyway.io/docs | +| Stripe Java SDK | 🟡 High | Knows REST from Java | stripe.com/docs/billing | +| Next.js / React | 🔴 For v2+ | Zero JS framework experience | nextjs.org/learn (free) | +| Docker + Compose | 🟡 Medium | Comfortable with Docker basics | Hetzner deploy guides | +| German DSGVO practical | 🔴 Critical | Basic awareness | Legal counsel + AVV templates | + +**Pragmatic MVP path:** Use PrimeFaces (Patrick knows it cold) → ship MVP → earn first revenue → invest time in Next.js for v2. + +--- + +## 6. 
Go-To-Market Strategy + +### 6.1 Phase 0 — Build & Validate (Private Beta) + +**Goal:** Working MVP, 3-5 beta clubs, collect real feedback + +**Actions:** +- Join German cannabis clubs online community (Telegram groups, Reddit r/cannabisde) +- Find 3-5 club admins willing to test for free +- Build MVP focused on distribution tracking + compliance reports (the biggest pain) +- Do NOT launch publicly until legally reviewed + +**Where to find early adopters:** +- Hanfverband Deutschland (German Hemp Association) — they represent clubs +- Online forums: Rollitup.de German section, GreenPassion.de +- Local cannabis clubs in your area +- LinkedIn outreach to CSC founders + +### 6.2 Phase 1 — Soft Launch (€0 → First €1K MRR) + +**Target:** 30+ paying clubs, Basic plan minimum + +**Channels (all B2B, no cannabis advertising):** +- Word of mouth between club admins (community is small and tight-knit) +- Content marketing: blog posts about "how to manage CanG compliance" (targets club admins searching for help) +- Partner with lawyers advising clubs (they refer clients) +- Hanfverband newsletter mention (not advertising — editorial content about compliance tools) +- LinkedIn / XING posts targeted to "Vereinsvorstand" / "Vereinsgründer" keywords + +### 6.3 Phase 2 — Growth (€1K → €10K MRR) + +- Referral program (clubs refer other clubs for free months) +- German startup press (Gründerszene, t3n) +- Templates marketplace (Satzungen, Jugendschutzkonzepte) +- Webinar series for Präventionsbeauftragte + +--- + +## 7. Business Structure & Risk + +### 7.1 Legal Entity + +**Recommendation:** Register as a **Gewerbetreibender / Einzelunternehmen** first (simplest), then transition to **GmbH** when revenue exceeds €50K/year. 
+ +- No special license needed to sell software to cannabis clubs +- You are NOT a cannabis business — you sell management software +- Standard software VAT applies (19% German USt) + +### 7.2 Banking & Payments + +- **DO NOT** describe your business as "cannabis software" to banks +- Describe it as: "Vereinsverwaltungs-Software" (club management software) +- Stripe works fine for compliance software — they block cannabis sales, not software for cannabis-adjacent industries +- Open a separate business account early (Kontist, Finom, or Deutsche Bank business) + +### 7.3 Exit Scenarios + +| Scenario | When | Valuation Range | +|----------|------|----------------| +| Keep as passive income | Year 2+ at €5K MRR | N/A | +| Sell to larger SaaS player | Year 3+ at €20K MRR | 3-5× ARR (~€720K-1.2M) | +| Raise seed funding | Year 2 with 200+ clubs | €500K-€2M round | +| Pivot to EU expansion | Year 3 | Same platform, localised | + +--- + +## 8. Development Roadmap + +### Phase 0 — Foundation (Weeks 1-8, solo) +- [ ] Set up Spring Boot 3.x project (Maven, JPA/Hibernate, PostgreSQL, Flyway) +- [ ] Design JPA entities: Club, Member, Distribution, Strain, Batch (multi-tenant via tenant_id) +- [ ] Build core REST API (member CRUD, distribution log) +- [ ] Build admin portal with PrimeFaces (Patrick already knows this) +- [ ] Distribution limit enforcement logic (25g/day, 50g/month, 30g/month under-21) +- [ ] Simple PDF compliance report export (iText 7) +- [ ] Spring Security + JWT auth (club admin login) +- [ ] Deploy to Hetzner VPS (Docker Compose) + +### Phase 1 — MVP (Weeks 9-16) +- [ ] Member portal (PrimeFaces, login with club-issued creds, quota view, stock view) +- [ ] Stock management module (strains, batches, quantities) +- [ ] Contamination batch recall feature +- [ ] Stripe Java SDK integration (subscription billing) +- [ ] DSGVO: privacy policy, data processing agreement (AVV), cookie consent +- [ ] Beta launch with 5 clubs (free, feedback-only) + +### Phase 2 — 
Launch (Months 5-8) +- [ ] Payment flows live (Stripe webhooks, subscription lifecycle) +- [ ] Email notification system (Jakarta Mail / Resend API) +- [ ] Marketing site (cannamanage.de — example name, separate Next.js landing page) +- [ ] Legal review of terms, privacy, advertising compliance +- [ ] Formal soft launch to club community +- [ ] First paying customers + +### Phase 3 — Growth (Months 9-18) +- [ ] Frontend migration: PrimeFaces → Next.js/React (when revenue justifies it) +- [ ] Mobile-optimised (PWA) +- [ ] Legal template marketplace (Satzungen, Jugendschutzkonzepte) +- [ ] Referral program +- [ ] Webinar series for Präventionsbeauftragte +- [ ] Hire first part-time support person + +--- + +## 9. Honest Assessment — Strengths & Weaknesses + +### Strengths ✅ +- **First mover advantage** — nobody is doing this well yet +- **Regulatory moat** — the compliance burden creates permanent demand +- **B2B SaaS** — predictable recurring revenue +- **Patrick's Java expertise** — Spring Boot + JPA = fastest possible backend iteration (this is his daily tool at ADP) +- **PrimeFaces knowledge** — built a full shop UI from scratch; zero learning curve for MVP frontend +- **Low competition** — niche market overlooked by big players +- **Low infra cost** — Hetzner VPS €5-20/month, manageable + +### Weaknesses / Challenges ⚠️ +- **Modern frontend gap** — Next.js/React must eventually be learned for v2 polish (deferred, not blocking) +- **Market is young** — clubs are still forming, slow regulatory licensing in some Länder +- **Political risk** — new German government could tighten the law +- **Churn risk** — if a club closes, subscription ends immediately +- **Payment friction** — some processors are cannabis-adjacent-averse (mitigated by correct positioning) +- **Two-sided attention** — building while working full-time at ADP is slow (nights/weekends) +- **Spring Boot learning curve** — Patrick knows Jakarta EE / JEE; Spring Boot 3.x is adjacent but not identical + 
+### The Honest Path +This is a **18-24 month project** to meaningful passive income: +- Months 1-3: Spring Boot setup + PrimeFaces MVP (using existing Java knowledge — fast!) +- Months 4-6: Beta with 5 clubs, Stripe integration, DSGVO compliance +- Months 7-12: Paid launch, first 30-50 paying clubs +- Year 2+: €5-10K MRR is realistic, genuine passive with <10h/week + +--- + +## 10. Immediate Next Steps + +1. **Join 2-3 German cannabis club communities** (Telegram, Reddit) — listen, don't sell yet +2. **Start Next.js tutorial** (nextjs.org/learn) — 1 hour/day, 4 weeks +3. **Create a Supabase project** — explore multi-tenancy with Row Level Security +4. **Set up the project repo** (pi_mcps/cannamanage or separate Gitea repo) +5. **Talk to 3 club admins** — validate the pain before writing a line of code +6. **Get a legal opinion** (€300-500 from a cannabis law specialist — worth it before launch) + +--- + +## Appendix: Key CanG References + +| Provision | Content | +|-----------|---------| +| §2 CanG | Definitions — Anbauvereinigung, Mitglied | +| §§15-26 CanG | Anbauvereinigungen — formation, rights, obligations | +| §22 CanG | Distribution limits (25g/day, 50g/month) | +| §23 CanG | Under-21 restrictions (30g/month, 10% THC) | +| §§6-7 CanG | Advertising and sponsoring ban | +| §26 CanG | Documentation and reporting obligations | +| §27 CanG | Prevention officer requirements | + +--- + +*Plan created: 2026-04-04 | Next review: 2026-05-01 | Status: Awaiting Patrick's approval*
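Review bot: In plans/BIGMIND_HOSTED_MVP.md the Phase 0 item `BIGMIND_DB_PATH=/data/users/{token}/memory.db` and the Phase 1 item `/profile?token={token}` both use the secret API token as an identifier, which puts it into file paths, container environments, web-server access logs and browser history; the architecture diagram already keys the data directory by `user_id` (`/data/users/{user_id}/memory.db`), so use that consistently and send the token to the MCP bridge only in a request header, never in the query string. Relatedly, the `users` table stores `password_hash` but a plain `api_token`; store a hash of the token and compare on lookup so a leaked `app.db` does not expose every user's bridge credential. The Phase 3 webhook item should state that the handler verifies the webhook signature and also handles `customer.subscription.deleted` / `customer.subscription.updated`, otherwise `users.plan` is never downgraded on cancellation. The diagram's claim "Poisoning is impossible: users can only see what they share" contradicts Phase 4, where opted-in facts are readable by all users; an opted-in contributor can still pollute the shared pool, so the moderation item should cover retraction and per-contributor revocation, not only a PII regex.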
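Review bot: In plans/cannabis-club-saas/STRATEGY.md the multi-tenancy design rests solely on `tenant_id on all JPA entities`, an application-level check where a single repository query missing the tenant predicate becomes cross-club disclosure of member and distribution records; given the plan's own DSGVO risk rating (Low probability / Very High impact), add a database-level guard (PostgreSQL row-level security with the tenant set per connection, or at minimum a Hibernate tenant filter enabled on every request) and an automated test that a club-A login cannot read club-B rows. Section 5.3 pairs `Spring Security + JWT (stateless sessions)` with a PrimeFaces/JSF frontend, which is inherently session-based; stateless JWTs also make it hard to cut off a member removed from a club or a club whose licence is revoked (section 1.5), so prefer server-side sessions for the portals and reserve JWT for the v2 API, with short lifetimes and a revocation path. Section 10 step 3 (`Create a Supabase project`) conflicts with the recommended PostgreSQL-on-Hetzner stack and needs reconciling with the section 1.4 requirement to keep data in Germany/EU; either drop it or mark it as local experimentation only. Minor: section 2.2 has an unbalanced parenthesis in `Illegal if done on personal email/phone)` and the author line ends with a stray `**`.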